Insurers urged to separate AI risk

- Kathryn Rattigan wrote on May 21 that insurers and corporate buyers should treat artificial-intelligence exposure separately instead of folding it into standard cyber coverage.
- Rattigan said many insurers still view AI risk as “cyber risk cloaked in a costume,” despite distinct consent, vendor, governance and liability issues.
- The next step is underwriting review: insurers and buyers can examine vendor terms, data use, disclosures and active settings.

Kathryn Rattigan argued in a May 21 article that insurers and companies should stop treating artificial-intelligence exposure as a subset of cyber risk and begin addressing it in separate insurance discussions. Rattigan, writing for Data Privacy + Cybersecurity Insider, said early AI-related claims are arising not only from hacks or data theft but from routine business activity such as customer calls, chatbot exchanges, healthcare consultations and meeting transcripts. She said those fact patterns can create questions about consent, vendor use, privacy obligations and which policy responds.

The piece adds to a broader insurance debate already underway. A July 2025 National Law Review article by Bradley Arant Boult Cummings lawyer G. Benjamin Milam said few cyber policies expressly addressed AI and that most insurers were still taking a “wait and see” approach, even as some began adding AI-specific terms or exclusions. A separate May 2025 National Law Review article by Hunton Andrews Kurth lawyers said specialized AI insurance products had begun entering the market, including coverage aimed at AI hallucinations and model-performance failures. (dataprivacyandsecurityinsider.com)

### Why isn’t ordinary cyber coverage enough?

Rattigan wrote that the instinct to fold AI into cyber insurance is understandable because AI systems process data, depend on vendors and sit inside digital infrastructure. But she said that framing is incomplete because the claims emerging around AI are not limited to ransomware, hacks or data exfiltration. (natlawreview.com)

Her examples were operational rather than purely security-based. A recorded customer call, she wrote, can raise separate questions about whether the call is being transcribed in real time, analyzed for content, retained by a third party or used to improve a vendor’s model. A procurement approval, she added, may not reveal whether customer content was opted into model training. (dataprivacyandsecurityinsider.com)

### Where does the legal exposure sit?

Rattigan said the main exposure lies in the gap between what a business thinks its AI tools are doing and what those systems are actually doing. She wrote that vendor contracts may fail to make clear whether a provider is only supplying a tool or is independently receiving, enriching and using the data that flows through it. (dataprivacyandsecurityinsider.com)

That distinction matters for insurance because it can affect consent, privacy obligations, regulatory exposure and coverage allocation, according to the article. In other words, the question is not only whether an AI system was secure, but whether its use changed the legal relationship between a company and its customers, patients, employees, vendors or regulators. (dataprivacyandsecurityinsider.com)

### What does the existing insurance market look like?

Milam wrote in July 2025 that the June 2025 issue of The Betterley Report’s Cyber/Privacy Market Survey identified at least three insurers incorporating specific definitions or terms for AI into cyber policies. He said few cyber policies expressly addressed AI, however, and that it was unclear whether AI-specific wording in a cyber policy necessarily expanded coverage when AI was only a vector for a traditional cyber incident. (dataprivacyandsecurityinsider.com)

Hunton Andrews Kurth lawyers Lawrence J. Bracken II, Michael S. Levine and Alex D. Pappas wrote in May 2025 that two affirmative AI coverages had recently entered the market. They cited Armilla Insurance Services’ AI liability policy, underwritten by certain Lloyd’s underwriters including Chaucer Group, and a Google Cloud partnership with Beazley, Chubb and Munich Re offering affirmative AI coverage for some customers. (natlawreview.com)

### What are insurers and buyers being told to do now?

Rattigan said companies that move first will document what users were told, what settings were active, what vendor terms applied and what data was used for which purpose. She described AI risk as a governance, consent, procurement, evidence and business-conduct issue, not only a cyber-control problem. (natlawreview.com)

For insurers and corporate buyers, that points to a more detailed underwriting conversation. The practical review would center on disclosures to users, retention and training settings, third-party access to data, and whether a loss looks like a cyber event, a professional-liability event, a privacy claim or a separate AI-specific exposure. Existing cyber, D&O and technology E&O policies may still respond in some cases, but the current market shows insurers are also testing stand-alone AI wording and affirmative AI products. (dataprivacyandsecurityinsider.com)
